Cylance Ransomware Technical Analysis

This blog post comes from the “Cylance Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Scope

The report analyzes the ELF executable of the Cylance ransomware variant targeting Linux systems; a version targeting Windows operating systems also exists.

Overview

File Name: d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c.elf
MD5: 4601076b807ed013844ac7e8a394eb33
SHA-1: 933ad0a7d9db57b92144840d838f7b10356c7e51
SHA256: d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c

Penetration Into the System

Attackers seeking to infiltrate servers and IoT platforms with ELF malware cannot rely on end-user interaction or phishing emails to install the malware for them, as is commonly the case on Windows systems. Linux runs mostly on servers and IoT devices that see little end-user interaction, and attackers target these environments accordingly.

Below, we outline how ELF malware can infect such systems.

  • Exploiting the Vulnerabilities

Attackers target vulnerable and unpatched publicly exposed services or application components to gain access to systems. Besides vulnerabilities, misconfigured services can also provide an entry point for attackers deploying ELF malware.

  • Usage of Compromised Credentials

The attacker can use default or compromised credentials to access the system. Password spraying and brute-force attacks are frequently used to obtain such credentials.
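The two credential-abuse patterns named above leave distinct traces in a Linux host's SSH authentication log. The following added example (not code from the Brandefense report) parses constructed sshd log lines and labels each source address as brute force (many failures against few accounts) or password spraying (few failures each across many accounts), flagging sources whose password attempts eventually succeeded; the log lines, host name and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenSSH auth.log output (not from the report).
SAMPLE_LOG = """\
Mar 10 02:14:01 srv1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar 10 02:14:02 srv1 sshd[2201]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 10 02:14:03 srv1 sshd[2201]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 02:14:04 srv1 sshd[2201]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 10 02:14:05 srv1 sshd[2201]: Accepted password for root from 198.51.100.7 port 51026 ssh2
Mar 10 02:20:11 srv1 sshd[2300]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar 10 02:20:12 srv1 sshd[2300]: Failed password for invalid user oracle from 203.0.113.9 port 40002 ssh2
Mar 10 02:20:13 srv1 sshd[2300]: Failed password for invalid user pi from 203.0.113.9 port 40003 ssh2
Mar 10 02:20:14 srv1 sshd[2300]: Failed password for deploy from 203.0.113.9 port 40004 ssh2
Mar 10 02:31:00 srv1 sshd[2400]: Failed password for alice from 192.0.2.5 port 33000 ssh2
Mar 10 02:31:40 srv1 sshd[2400]: Accepted publickey for alice from 192.0.2.5 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, method, user, src) for each sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")

def classify_sources(text, threshold=4):
    """Return {src: verdict}. Verdict is 'brute-force' (failures concentrated on few
    accounts) or 'password-spraying' (failures spread across many accounts), with a
    '+success' suffix when a later password login from that source was accepted."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    success_after = defaultdict(bool)
    for result, method, user, src in parse_auth_log(text):
        if result == "Failed":
            failures[src][user] += 1
        elif method == "password" and src in failures:
            success_after[src] = True  # password accepted after prior failures
    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < threshold:
            continue  # below the noise floor (a user mistyping a password)
        kind = "password-spraying" if len(per_user) * 2 > total else "brute-force"
        verdicts[src] = kind + ("+success" if success_after[src] else "")
    return verdicts
```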

Conclusion

Unlike popular ransomware families, the analyzed ransomware has no data leak site or support page, which suggests it is still in its early stages. Given the increase in ransomware attacks targeting both Windows and Linux systems, the threat actors appear to be trying to catch up with this trend.

Download YARA Rules and IoCs from GitHub.
